Showing posts with label Belkasoft Evidence Center. Show all posts
Showing posts with label Belkasoft Evidence Center. Show all posts

Using EnCase with the Latest Release of Belkasoft Evidence Center

Yuri Gubanov, Belkasoft

Belkasoft has just updated its digital forensics suite, Belkasoft Evidence Center, making the tool a true, all-in-one forensic solution. When seamlessly integrated with EnCase, the two tools can cover nearly every digital forensic need. Belkasoft Evidence Center helps you jump-start investigations by automatically discovering evidence gathered from many different sources.

In its biggest update in two years, Belkasoft has done more than learn a few new tricks. It now extracts and analyzes evidence from pretty much any data source you can imagine. Hard drives and drive images with Windows, Linux, Ubuntu, and many other operating systems; smartphone backups in all popular formats; UFED images and chip-off dumps; live memory dumps; and many virtual machines can be scanned for available evidence. This major update turns Belkasoft Evidence Center into a true, all-in-one digital forensic tool.

We added several new modules to bring about these changes.

So much evidence, so many artifacts, so little time…

Ken Mizota

I’ve recently taken to tweeting about some of the latest additions to EnCase App Central and it’s been a reminder of the impressive ingenuity and dedication within the digital investigations community. Our humble app store has grown to house over 100 solutions, extending and increasing the efficiency and efficacy of digital investigations. At Guidance Software, we take pride in shipping software that helps investigators find more evidence, faster and we see EnCase App Central as a key component of EnCase.

Using Belkasoft Evidence Center in EnCase Forensic Version 7

Robert Bond

I’d like to introduce you to a new tool that expands the data-extraction capabilities of EnCase® Forensic. Belkasoft Evidence Center makes it easy for investigators to search computer hard drives, disk images, and snapshots of a computer's volatile memory for many types of digital evidence.

This volatile evidence includes conversations made in social networks and can quickly locate chats carried over a variety of instant messengers. Analysis of the suspect’s online behavior can be done by investigating the browsing histories of all major Web browsers, the mailboxes of popular email clients, peer-to-peer data, and multi-player game chats.

Belkasoft Evidence Center automates the analysis of office documents by extracting plain text, metadata and embedded objects, allowing you to run searches and use the many powerful analytic features available in EnCase® Version 7.

Finally, Evidence Center helps automatically identify pictures and videos with scanned text, human faces and pornographic content. In addition, the tool can identify forged pictures (images that have been edited after leaving the camera), locate encrypted files, and analyze mobile backups, system, and registry files.

How Belkasoft Evidence Center Integrates with EnCase Forensic

Evidence Center is tightly integrated with EnCase Version 7, allowing investigators to acquire the many types of evidence supported by Evidence Center via the familiar EnCase user interface. After performing the acquisition, collected data can be processed and investigated inside of EnCase Version 7 with the many powerful analysis features.

The integration is implemented via the free “BelkasoftDataImport” plugin, allowing EnCase users to seamlessly access information collected by Belkasoft Evidence Center.

Integration Benefits

With the integration of the two powerful forensic products, EnCase users gain access to powerful data search and carving abilities provided by the Belkasoft technology. Belkasoft Evidence Center is designed specifically to collect information about suspects’ communications and online activities such as chats, postings and comments they make over a wide range of carriers. Its ability to carve data from allocated, unallocated or entire disk space sets it apart from similar tools, while its ability to capture and carve raw memory dumps makes it possible to discover many types of ephemeral evidence (see below).

Belkasoft Evidence Center can extract the following types of evidence:

  • Conversations carried over in a wide range of 80+ popular instant messengers (Skype, MSN, AIM, ICQ, Miranda, Trillian, the Chinese QQ Messenger, and many others)
  • Facebook, Twitter, Google+ posts and other social network communications (via Live RAM analysis)
  • Chats occurred in popular online computer games (e.g. World of Warcraft or Lineage) and peer-to-peer applications
  • Messages sent and received in Gmail, Hotmail and other webmail systems (via Live RAM analysis)
  • Regular emails (Outlook, Windows Live Mail and a wide range of other email clients)
  • Web browsing histories in all popular Web browsers (including Privacy/Incognito modes via Live RAM analysis)

Analyzes Windows, Linux and Mac OS X apps and file systems

Evidence Center supports Windows, *nix and Mac OS X file systems, and recognizes applications specific to these operating systems. This allows investigators analyze hard drives and memory sets collected from computers running almost any operating system in existence.

Automates document analysis

In addition to chats, emails and browsing histories, Belkasoft Evidence Center can discover and analyze documents, extracting plain text, metadata and embedded objects from many different types of files. Extracting plain text from a range of document formats allows running automated keyword searches through all of the suspect’s documents discovered on the computer.

Detects scanned text, human faces, pornography and forged images

The Ultimate edition of Belkasoft Evidence Center comes with the ability to analyze still images and videos for signs of scanned documents, human faces and pornographic content. The automated detection of illicit content saves investigators countless hours of manually searching through a system’s images. Discovers files that have been edited, launched or otherwise accessed

The latest editions of Belkasoft tools gained the ability to locate and analyze Windows artifacts such as jumplists. Jumplists contain information about files accessed by the user over the history of the machine. Jumplist history has not gained much recognition, and is often not affected by various “cleaners” and privacy tools. Analyzing jumplist items allows investigators to learn which files were created, edited, launched or otherwise accessed months or even years ago. Jumplists contain information about access to files that have been deleted, allowing investigators to obtain evidence that a certain file existed in a certain location.

Integrating Evidence Center with Guidance Software EnCase

To start using Evidence Center, you will need to install the tool. Obtain the product and EnCase integration script from the App Central and install it by placing the BelkasoftDataImport.EnPack file into your EnCase script folder (normally, that would be "C:\Program Files\EnCase7\EnScript\EvidenceProcessor\").

You will also need to place the script license file BelkasoftIntegration.EnLicense to your EnCase license folder (normally, "C:\Program Files\EnCase7\License\").

In a final integration step, open the "ModuleList.EnScript" in "C:\EnScript\EvidenceProcessor\". If this file does not exist, create it. Add the following string: include "BelkasoftDataImport.EnPack"

Congratulations! You have just completed the integration, and can start using Evidence Center.

Start Using Evidence Center

To start using Evidence Center, first add some evidence files to your case. Open "Evidence Processor" and select an evidence file you would like to analyze. You should see the "Belkasoft Data Import" module available in the module list. Tick the box and click OK.

Belkasoft Evidence Center will be launched. You will be prompted whether you’d like to carve data or analyze existing files. You can skip either option by clicking the Cancel button in the corresponding dialog.

Wait until all tasks are finished. During the analysis you can cancel any task in the Task Manager window. When all tasks are finished, close Evidence Center. Once you've done that, the data will be imported into EnCase automatically. It’s that easy!

Using EnCase to Analyze Evidence Collected with Belkasoft Evidence Center

Now you’re ready to begin analyzing the data collected by Evidence Center. In EnCase, navigate to the Records tab, select drive image you’ve just analyzed, and open "Belkasoft Data Import – Records".

Under "Belkasoft Data Import – Records," you will find the results extracted by Belkasoft Evidence Center.

Exclusive to EnCase Customers

Belkasoft Chat Analyzer and Chat and Social Analyzer offer many more valuable features at a much lower price point compared to what is available on the Belkasoft Web site. The following Belkasoft products are available at special pricing to EnCase® Forensic and EnCase® Enterprise Version 7 users, and can be purchased exclusively through EnCase® App Central:

  • Belkasoft Chat Analyzer
    Exclusive pricing for EnCase customers! Identical, feature-wise, to Belkasoft IM Analyzer, which sells for a regular price of $499.
  • Chat and Social Analyzer
    Chat & Social Analyzer includes many more essential features compared to the Belkasoft IM Analyzer. Basically, it adds the abilities to carve volatile memory dumps for remnants of social networking communications.
  • Evidence Center Pro
    This edition is similar in most respects to Evidence Center Pro available from Belkasoft’s Web site, the App Central edition adds the ability to carve disk space for destroyed evidence, and introduces email and browsing history analysis.
  • Evidence Center Ultimate
    This edition is similar in most respects to Evidence Center Pro available from Belkasoft’s Web site, the App Central edition adds the ability to extract text from office documents and identify pictures and videos with content of interest (scanned text, human faces, pornography).